General
-
Target
2024-03-16_95c18f6292d8a7a42dd4cf5cef93506f_cobalt-strike_cobaltstrike_ryuk
-
Size
416KB
-
Sample
240316-kn3tvsfe7t
-
MD5
95c18f6292d8a7a42dd4cf5cef93506f
-
SHA1
55925816c789ddb20221981c2d48693dffe726c0
-
SHA256
f5c9fc7828a84788618745dd905ec9f3ac6caf5722dcd44e9a3ca04c619a661b
-
SHA512
c13032e0d12ea6bee5b51537743d80c0f490adaf82d9e19a58e4dde445f5557257ffa9ed5c3baa6c74e3ed32c58441b833e759c3971329dfe3b86503b9e9eb5c
-
SSDEEP
12288:F1NBuorXYZQZDtrRpjr1VMvv4JMJMPIAZXcHX:FnB6QZZrRekU
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-16_95c18f6292d8a7a42dd4cf5cef93506f_cobalt-strike_cobaltstrike_ryuk.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-03-16_95c18f6292d8a7a42dd4cf5cef93506f_cobalt-strike_cobaltstrike_ryuk.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
cobaltstrike
100000000
http://acbtpay.shop:8443/jquery-3.3.1.min.js
-
access_type
512
-
beacon_type
2048
-
host
acbtpay.shop,/jquery-3.3.1.min.js
-
http_header1
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
-
http_header2
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
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
45000
-
port_number
8443
-
sc_process32
%windir%\syswow64\mcbuilder.exe
-
sc_process64
%windir%\sysnative\mcbuilder.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2oE7pOlCOEfF+8x95tWlM6ccuEnZkp4LJ6nmr2cW3hlkv17ZRBb/9RfRdF+KZmgHVr+31OzRyrCQopxvxa2it9G90aFqb6xUk7pZDp8WWc1FMhDVa4BRuggbDe6YZczfSCSStC6dNSq+xqm31pCGNDEZjXo3XB0gTjnxuvnrv4wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.234810624e+09
-
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/jquery-3.3.2.min.js
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/99.0
-
watermark
100000000
Targets
-
-
Target
2024-03-16_95c18f6292d8a7a42dd4cf5cef93506f_cobalt-strike_cobaltstrike_ryuk
-
Size
416KB
-
MD5
95c18f6292d8a7a42dd4cf5cef93506f
-
SHA1
55925816c789ddb20221981c2d48693dffe726c0
-
SHA256
f5c9fc7828a84788618745dd905ec9f3ac6caf5722dcd44e9a3ca04c619a661b
-
SHA512
c13032e0d12ea6bee5b51537743d80c0f490adaf82d9e19a58e4dde445f5557257ffa9ed5c3baa6c74e3ed32c58441b833e759c3971329dfe3b86503b9e9eb5c
-
SSDEEP
12288:F1NBuorXYZQZDtrRpjr1VMvv4JMJMPIAZXcHX:FnB6QZZrRekU
Score 10/10